Innominate secures remote maintenance for FRIMO

  • September 23, 2015
  • Innominate Security Technologies AG
  • Case Study

September 23, 2015 - The equipment manufacturers at FRIMO have found a secure solution that not only requires less administration but is suitable as a centralized solution for a large number of subsidiaries.

FRIMO specializes in the development and manufacturing of production systems for high-quality plastic components for a wide range of applications. Today, the FRIMO network comprises 15 global locations with a total of 1,200 employees. FRIMO has many years of experience with remote service, especially in the automotive environment. As early as 20 years ago, remote service technicians supported machine operators via analog modems and telephone links in the event of machine downtime. Despite the limited bandwidth of the analog 56 kbit/s modems, access to programmable logic controllers (PLCs) in the machines was still relatively efficient. “Increasingly powerful industrial PCs have since taken over more and more functions in our machines. Analog connections are no longer sufficient to ensure remote maintenance for these computers,” says Axel Starflinger, IT Administrator at FRIMO.

Troubleshooting and enhanced services from a distance

Analog technology has since been replaced with broadband Internet access, which is used to establish tap- and manipulation-proof connections through VPN (virtual private network) tunnels. Thanks to the faster data connection between the customer’s plant and the manufacturer’s service technician, the machines’ industrial PCs can now also be operated conveniently. Using VNC (virtual network computing) software, the entire screen content of the remote computer is transmitted, and the service technician can use it like a local PC.

FRIMO primarily utilizes remote service for rapid fault clearance. Expanded services are also available. As the support needs of its customers are continually rising, FRIMO intends to expand its remote service over time. “We adapt our machines to the specific requirements of our customers. With fast and secure VPN connections, we have access to all the devices in the machine. For example, our service allows us to remotely set up an extra checkbox in the PC’s visualization system, or adjust the parameters of a frequency converter,” explains Axel Starflinger.

A secure, efficient and easy-to-use remote service solution

FRIMO has since integrated 80 “mGuard” remote service connectivity solutions from security specialist Innominate. Its initial attempt, though, used a different broadband remote maintenance solution.

“The technology from a large manufacturer proved to be far too complex and expensive in daily operations. It was not an acceptable long-term solution. We tested various alternatives and decided to go with the Innominate mGuard. With the mGuard, we have found a very secure, efficient, and, above all, easy-to-use solution. The time we spend on configuration has been reduced from several hours to a few minutes,” the IT administrator says, describing his experience. Due to the uniform, standardized configuration templates for the mGuard, any configuration effort at the machine end is low.

Configuring a VPN router in minutes

Since then, whenever a machine needs to be equipped for remote maintenance, FRIMO has exclusively used Innominate’s mGuard technology. To set up the remote maintenance solution, a complete configuration template is read into the mGuard via an SD card. This defines almost all the required parameters. Then only customer-specific entries for the VPN connection, the customer network’s default router and the machine’s IP addresses need to be added. Address conflicts are avoided by mapping the real addresses of the machine network onto virtual IP addresses through the 1:1 NAT (network address translation) function of the VPN router. Additional adjustments to the machine’s internal address space are no longer necessary.
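The 1:1 NAT mapping described above, as an added example that is not part of the original case study and is not mGuard configuration: each machine network keeps its real addresses and is presented to the service side under its own virtual subnet with the host part unchanged. The machine names, subnets and the virtual pool are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: names, subnets and the pool are assumptions.
MACHINES = {
    "press-A": "192.168.0.0/24",   # customer 1
    "press-B": "192.168.0.0/24",   # customer 2, same real range as press-A
    "foamer-C": "192.168.1.0/24",  # customer 3
}
VIRTUAL_POOL = "10.200.0.0/16"

def real_conflicts(machines):
    """Pairs of machines whose real subnets overlap and cannot be routed side by side."""
    nets = {n: ipaddress.ip_network(s) for n, s in machines.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def assign_virtual_nets(machines, pool):
    """Give every machine its own virtual /24 taken from the pool."""
    free = ipaddress.ip_network(pool).subnets(new_prefix=24)
    plan = {}
    for name, real in machines.items():
        real_net = ipaddress.ip_network(real)
        if real_net.prefixlen != 24:
            raise ValueError(f"{name}: this sketch only handles /24 machine networks")
        try:
            plan[name] = (real_net, next(free))
        except StopIteration:
            raise ValueError("virtual pool exhausted") from None
    return plan

def to_virtual(plan, name, real_ip):
    """1:1 NAT: keep the host part, swap the network part."""
    real_net, virt_net = plan[name]
    ip = ipaddress.ip_address(real_ip)
    if ip not in real_net:
        raise ValueError(f"{ip} is outside {real_net}")
    return str(virt_net.network_address + (int(ip) - int(real_net.network_address)))

def to_real(plan, virtual_ip):
    """Reverse lookup: the machine and real address behind a virtual address."""
    ip = ipaddress.ip_address(virtual_ip)
    for name, (real_net, virt_net) in plan.items():
        if ip in virt_net:
            offset = int(ip) - int(virt_net.network_address)
            return name, str(real_net.network_address + offset)
    raise LookupError(f"{ip} is not mapped to any machine")

if __name__ == "__main__":
    plan = assign_virtual_nets(MACHINES, VIRTUAL_POOL)
    print("overlapping real networks:", real_conflicts(MACHINES))
    for name in MACHINES:
        host = str(plan[name][0].network_address + 10)
        print(name, host, "->", to_virtual(plan, name, host))
```

Two machines that both use 192.168.0.10 internally end up with distinct virtual addresses, so neither customer has to renumber the machine network.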

At its headquarters, FRIMO is deploying an mGuard bladeBase for up to 12 mGuards in a 19-inch standard rack system. All technical parameters and authorizations are already set up, so a new machine can simply be added and connected, without any additional entries having to be made. All FRIMO locations are connected to headquarters via an internal MPLS network. When servicing is required, a technician from any location obtains remote access to the customer’s machine via the blades in headquarters using the VPN connection – depending on his or her authorization level. “With our centralized solution, we have created a uniform and standardized access solution for all our subsidiaries. This simplifies operation, and the administration costs are considerably less,” says Axel Starflinger.

A high security standard accepted in the automotive sector

The FRIMO IT administrator confirms that machine operators are generally skeptical or hostile towards the idea of external access to their production networks. This is especially true for manufacturers and suppliers in the automotive sector. “Security concerns are initially high. However, the benefits of rapid troubleshooting and the security features of our mGuard solution are very convincing,” says the IT administrator.

The mGuards, which are developed and manufactured in Germany, integrate three coordinated security components on the basis of a hardened embedded Linux: a bidirectional stateful firewall, a flexible NAT router and a secure VPN router with IPsec encryption (IP security protocol). The machine operators’ IT teams attach great importance to one protective aspect of the mGuard in particular: it prevents external access to the machine by default. A secure data connection can only be established with the explicit authorization of the machine operator via a VPN hardware switch. Access to the machine is thus always initiated by an outgoing connection that is controlled by the customer.

Recommendable solution

“The mGuard solution is suitable for industrial use. It is secure and easy to administer. Innominate’s support staff are very dedicated and will always find a solution, even for complex problems. For example, we recently had a large accumulation of open sessions in our MPLS network and suspected a remote service problem. A specialist from Innominate checked the log file of the central mGuard. His analysis helped us to find the problem within a few hours,” says Axel Starflinger, summarizing the good experience he’s had.

